Using SSL-Secured Connection


MySQL can use SSL to encrypt network connections between the database server and a client. SSL support must be enabled in your server at compile time. To check whether it is available, run the following statement:

SHOW VARIABLES LIKE 'have_openssl'; 


The result shows either Yes or No alongside this variable, indicating whether SSL support is available. If it is not, you must recompile your MySQL server using the --with-vio and --with-openssl configure switches.

Note

Since MySQL 5.0.10, MySQL has built-in support for SSL-encrypted network connections, using yaSSL. To activate this at compile time, use --with-yassl=yes. Usage is otherwise the same as the OpenSSL version.


To establish an encrypted SSL connection, you must already have three certificate files, or be able to generate them: a Certificate Authority (CA) certificate, a server certificate, and a client certificate.

Add the following lines to the [mysqld] section of my.cnf to specify the location of each SSL certificate file to be used for connections to your server:

ssl-ca=/path/to/CA-cert
ssl-cert=/path/to/server-cert
ssl-key=/path/to/client-cert


The client settings can be added to the [client] section of my.cnf, and are identical to the server settings. You must use the same three certificate files for the client as for the server.

Alternatively, you can specify each certificate as a command-line argument to mysql:

mysql --ssl-ca=/path/to/CA-cert \
      --ssl-cert=/path/to/server-cert \
      --ssl-key=/path/to/client-cert
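
An added example, not taken from the book: a Python check that reads a my.cnf and confirms that the [mysqld] and [client] sections set the three options above and that each path holds the right kind of PEM file. The ssl-key option takes the private key that matches ssl-cert, so a path that holds a certificate is reported. The function names, the header-only stub files and the sample my.cnf are constructed for illustration, and the parser assumes a file without !include directives.

```python
import configparser
import os
import tempfile

# Options from the page -> kind of PEM file each must name (ssl-key takes the private key).
EXPECTED = {"ssl-ca": "certificate", "ssl-cert": "certificate", "ssl-key": "private key"}

def pem_kind(path):
    """Classify a file by its first PEM BEGIN line; None if it has none."""
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("-----BEGIN ") and line.endswith("-----"):
                label = line[len("-----BEGIN "):-5]
                return "private key" if label.endswith("PRIVATE KEY") else label.lower()
    return None

def audit_ssl_config(cnf_text, sections=("mysqld", "client")):
    """Return (section, option, problem) tuples for the SSL options in a my.cnf text."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.optionxform = lambda k: k.replace("_", "-")  # MySQL reads ssl_ca the same as ssl-ca
    cp.read_string(cnf_text)
    findings = []
    for sec in sections:
        if not cp.has_section(sec):
            findings.append((sec, None, "section missing"))
            continue
        for opt, want in EXPECTED.items():
            path = cp.get(sec, opt, fallback=None)
            if not path:
                findings.append((sec, opt, "not set"))
            elif not os.path.isfile(path):
                findings.append((sec, opt, "file not found"))
            elif pem_kind(path) != want:
                findings.append((sec, opt, "expected %s, found %s" % (want, pem_kind(path))))
    return findings

def demo():
    """Audit a constructed my.cnf whose PEM files are header-only stubs (no key material)."""
    d = tempfile.mkdtemp()
    def stub(name, label):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN %s-----\nCONSTRUCTED\n-----END %s-----\n" % (label, label))
        return path
    ca, cert, key = stub("ca.pem", "CERTIFICATE"), stub("srv.pem", "CERTIFICATE"), stub("srv.key", "PRIVATE KEY")
    cnf = "[mysqld]\nssl-ca={0}\nssl-cert={1}\nssl-key={2}\n[client]\nssl_ca={0}\nssl-cert={1}\nssl-key={1}\n"
    return audit_ssl_config(cnf.format(ca, cert, key))  # [client] ssl-key names a certificate
```

To audit a real file, pass its contents to audit_ssl_config(); an empty list means every option is set and points at the expected kind of file.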




MySQL Phrasebook. Essential Code and Commands
ISBN: 0672328399
EAN: 2147483647
Year: 2003
Pages: 130
